Safe reporting route
A responsible report should be submitted privately and should include the affected URL, description of the concern, evidence, browser or tool context, time observed and enough reproduction steps for safe investigation.
Governance & Legal
Responsible Disclosure Policy
This policy explains how security researchers or visitors should report suspected security issues responsibly.
This page is written for website visitors, procurement teams, compliance reviewers and prospective customers. It is intended to make EUAIC’s website terms and policy position clear without pretending to be legal advice.
AIEU
Read policy
Check scope
Review responsibilities
Contact EUAIC
Govern
Govern
Do not access data
Reporters must not access, copy, alter, delete, download or disclose data. They must not attempt persistence, privilege escalation beyond a minimal proof of concept, social engineering, physical attacks, denial of service or public disclosure before review.
Good-faith handling
Good-faith reports that follow this policy can help improve security. This policy does not authorise testing, create a bug bounty, waive legal rights or guarantee payment.
Investigation and response
Reports should be triaged based on severity, reproducibility, affected systems and business impact. Where appropriate, fixes may be prioritised, monitored and documented.
Safe harbour limitation
Following this policy does not create automatic legal protection or permission to test. It explains how concerns should be reported safely. Any active testing, scanning, exploitation or access attempt requires written authorisation in advance.
Report quality
High-quality reports are factual, limited and reproducible. They avoid exaggeration, avoid data exposure, explain potential impact and include enough technical context for the issue to be investigated without causing harm.
Coordinated handling
Security issues should be handled privately until a fix or decision has been made. Public disclosure before responsible review can increase risk to systems, visitors and customers.
How this policy should be read
This page is written for website visitors and corporate reviewers. It should be read together with the Legal Notice, Privacy Policy, Cookie Policy and Terms of Use. Where a customer has a signed agreement, order form, statement of work, data processing addendum or service schedule, that document will take priority over this general website wording for the relevant service.
Contact and review
Questions about this policy can be raised through the EUAIC contact route. A useful enquiry should identify the page, the concern, the affected service or communication, and any relevant reference. Policies should be reviewed when the website, service model, supplier stack, cookie configuration, platform features or customer contracting process changes.
Important note
These website policies are written for clear corporate communication. They do not replace a signed agreement, formal legal advice, regulatory advice, security assurance or a customer-specific data processing addendum.
Legal pages
Related EUAIC policies
Use these pages to review privacy, cookies, terms, security, accessibility and responsible AI information in a structured way.
Privacy PolicyUnderstand how EUAIC handles website enquiries, business contact details, communication records, privacy rights and retention.TermsRead EUAIC website terms covering acceptable access, intellectual property, no legal advice, external links and liability boundaries.AccessibilityRead EUAIC accessibility principles for responsive layouts, readable structure, clear navigation and inclusive website improvement.Legal CentreAccess EUAIC legal information including privacy, cookies, terms, legal notice, security, GDPR, accessibility and responsible AI policies.Cookie PolicyRead how the EUAIC website may use essential cookies, analytics cookies, security technologies and visitor preferences.Acceptable UseReview acceptable use expectations for EUAIC website access, enquiry forms, security, communication and responsible conduct.GDPR ComplianceReview EUAIC GDPR principles for website enquiries, data minimisation, retention, rights requests and responsible communication.Data ProcessingRead EUAIC data processing information covering customer instructions, controller and processor roles, security and sub-processor review.Security StatementReview EUAIC security principles for website protection, access control, monitoring, maintenance and responsible reporting.Sub-processorsReview how EUAIC may approach third-party providers, hosting, infrastructure, analytics, communication tools and customer review.Service LevelsUnderstand EUAIC service level themes for availability, planned maintenance, support expectations and incident handling.Refunds & CancellationReview EUAIC refund and cancellation principles for subscriptions, implementation, consulting, custom work and agreed contracts.Anti-SpamRead EUAIC anti-spam principles for responsible business emails, communication quality, unsubscribe handling and sender reputation.Intellectual PropertyReview EUAIC intellectual property rules for website content, branding, graphics, software descriptions and design materials.ComplaintsLearn how to raise EUAIC website, enquiry, service, privacy, security, accessibility or billing concerns for professional review and response.Responsible AIReview EUAIC responsible AI principles covering governance, oversight, transparency, evidence, risk review and accountability.AI Governance DisclaimerRead the EUAIC disclaimer explaining that AI compliance information is general and does not replace professional advice.Legal NoticeReview EUAIC legal notice information including company identity, website ownership, intellectual property and professional advice limitations.Data RetentionReview EUAIC data retention principles for enquiries, communication records, website logs, service records and deletion requests.Modern SlaveryRead EUAIC’s modern slavery and ethical trading statement for responsible business conduct and supplier awareness.Equality & InclusionRead EUAIC’s equality, diversity and inclusion statement for respectful access, communication and responsible business culture.
Questions
Frequently asked questions
Is there a bug bounty?
No. This policy does not create a bounty or payment obligation.
Can data be accessed to prove an issue?
No. Do not access, download or disclose data.
Does this authorise testing?
No. Written permission is required for active testing.